Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 9 months ago.
Improve this question
If I have AppCheck enabled, how would it be possible for an attacker to make any Firebase call they want? What other vulnerabilities exist even with AppCheck enabled on a mobile app?
Firebaser here!
Please see How strong is the security provided by App Check? in our documentation for a high level description of the security offered by App Check.
App Check is only as strong as the underlying Attestation provider (such as SafetyNet/Play Integrity on Android, Device Check/App Attest on iOS, or reCAPTCHA on Web). If an attacker can bypass the security of the attestation providers (such as tricking reCAPTCHA into believing they are not a bot, or tricking SafetyNet into believing a rooted device is legitimate) they can abuse that vector to making calls against your API.
Additionally, App Check intentionally allows for limited time-bound replay (configured by the TTL on the App Check token). This allows you to use a single attestation to protect multiple API calls. However, if an attacker uses a legitimate device to obtain a valid App Check token and then somehow intercepts that token (by either rooting the device or sniffing their network traffic), they can use the token to make calls against your API until it expires. However the cost of performing this attack generally outweighs any benefits, and becomes very costly and infeasible to perform at scale.
This is all assuming App Check is not only enabled but also enforced, and you are using it in conjunction with secure user authentication and rigorous authorization logic such as well defined Firebase Security Rules.
Related
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 4 months ago.
Improve this question
So, I am trying to safely store an authentication token using Angular, processed with additional encryption on top (in front end) and put it in browser local storage (so that not anyone can de-code it).
Many people recommend this method, but I came across several opinions that say even in such case one can access your source code through your browser and get your secret key to decrypt the Auth Token (for example experienced hacker).
Many people claim that Access + Refresh tokens are the best in terms of security.
So, my question is - what are standard practices for serving/ storing authentication token? Is token encryption in local storage good implementation or should we use refresh tokens (although, they are harder to implement)?
I think you should use both a refresh and access token for maximum security...the access token should have an expiration date and should be blacklisted after rotation(when you use the refresh token to get an access token)...if you need even more security,after rotation,the user should get a new refresh and access token
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 1 year ago.
Improve this question
What are the benefits/drawbacks of these Auth options, as displayed on my Firebase Auth menu?
Here is some context about my app:
My app isn't security critical, hence:
I want to optimize for a quick / easy Auth experience
My app is only Mobile
I expect my users to stay logged in unless they manually sign out or are using a new / different phone.
And of course development and maintenance costs should be considered.
TL;DR Use the "additional providers" and focus on building your app rather than building authentication systems.
Firebase Authentication is a powerful and reasonably easy to use tool that gives you(r app) the ability to authenticate your users using their preferred auth mechanism (rather than your proprietary system requiring your users to remember passwords for myriad sites).
If your users already have a Google, Microsoft, Facebook, Apple etc. account, enabling the relevant subset from these "additional providers" adds very little overhead to your code but increases the chances your users will already have an account that they can use.
In addition, because e.g. Google, Microsoft, Facebook, Apple is handling authentication for you, your app becomes simpler and, unless you choose the native providers (phone, email) (which you should probably not do) you don't have to take on the burden in being diligent in managing your users' credential (e.g. email, passwords etc).
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 2 years ago.
Improve this question
It's considered good practice to remove listeners from Firebase databases (whether that be Cloud Firestore or Realtime Database) when the listening components are unmounted.
In a lot of applications, mine included (React Native app), this might not happen very often.
For example, when my user is authenticated (signed in), they are subscribed to a number of listeners on both RTDB and CFS. Things like notifications and messages and other "realtime" updates i want them to see app-wide - think notification "badges" for example or "unread messages".
Developers of Native applications will know that apps can remain "backgrounded" for long periods of time. And with auth refreshing, users will rarely log out of my application. This means that those components are never (or rarely) unmounted and thus, remain subscribed to updates - i think.
Should i be adding logic that removes those subscribers to realtime data when a user backgrounds the application, only to re-instate them when they foreground again?
What you're asking is primarily a matter of opinion, which is off-topic for Stack Overflow. That said, you should probably take some time to understand the ramifications of leaving listeners added indefinitely.
A listener that's not removed when the user isn't looking at your app still incurs the cost of downloading updates to the documents it's listening to. Whether or not that's acceptable is entirely up to you.
The host OS will likely throttle the network access of app that can't be seen by the user after some time. This is for the benefit of the user, so poorly implemented apps don't consume excess network and battery. You can't depend on these listeners to work properly when this happens. If you want listeners to stay active while the app isn't visible, you will need to tell the host OS what you want using whatever APIs it provides. Even then, you don't have any guarantees, as the OS may simply kill an invisible app in order to reclaims resources.
You will have to decide for yourself when it makes sense add and remove listeners, after you understand the behavior apps on the given OS.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 3 years ago.
Improve this question
If I have a webapp (website) and I am posting data from the user's browser to Firebase, how does it prevent some other website or hackers from posting to my database?
If there is an API key or token, it is viewable from the traffic from the user's dev console. Can it be identified by which website the user is on, but even so, the hackers can spoof a website in the HTTP traffic data.
Without backend code, if I post 10 game coins for a user, how can I stop the user from posting 100 game coins to the same Firebase database if there is no server code to control that?
(there is a post about other hackers hacking it will be difficult, but what about a hacker hacking his own account?)
If I have a webapp (website) and I am posting data from the user's
browser to Firebase, how does it prevent some other website or hackers
from posting to my database?
It doesn't really "do" anything by default. You have to do something.
If there is an API key or token, it is viewable from the traffic from
the user's dev console. If it is identified by which website the user
is on, the hackers and spoof a website in the HTTP traffic data.
All traffic sent between client apps and Firestore is encrypted, usually over HTTPS or other encrypted socket, so it's not visible to anyone who can just see the stream of encrypted bytes between the client and server.
Without backend code, if I post 10 game coins for a user, how can I
stop the user from posting 100 game coins to the same Firebase
database if there is no server code to control that?
Your security rules will prevent that, but security rules might not be robust enough to stop unwanted changes. So you might need a backend for that. You shold always assume client code has been compromised, since it runs on hardware you don't control.
(there is a post about other hackers hacking it will be difficult, but
what about a hacker hacking his own account?)
When you use security rules (or whatever mechanism) to gate access to individual authenticated users, you should assume that the user isn't bound by the logic in the app. Someone can take their own auth token and use it in calls to Firebase services to do whatever they're allowed to do with that account. This is really not any different than any other permission system.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 2 years ago.
Improve this question
I know this may be not a good question.
I was asked a question: do we really need authentication among microservices. And I have no idea the answer. I did read some tutorials on SOA, microservices, and how to add authentication among the services. But I did not have too many ideas why we need authentication/authorization between microservices? Any use cases where they are required? Any use cases where they are not required? Any potential risk without authentication/authorization?
Any comments welcomed. It is better to give some practical examples. Thanks
Whether a microservice that you design and develop requires authentication is up to your functional requirements and the way you design it.
A common technique used is to not have authentication on each individual microservice but to group them together behind a common fascade (such as an API Manager). You can then apply authentication and other policies at one place - the policy enforcement point/API Manager - for "external" consumers while "internally", behind your common security boundary, your microservices remain lightweight and can call each other without authentication (if that makes sense for your usecase/requirements/architecture etc. etc.)
To sum up - it's a design decision that involves multiple tradeoffs.
Clearly, if you have a critical business service fetching or updating sensitive data, you might want only authorised callers to access it. But you might not want many internal callers (could be other microservices) running within your organisation's "trusted" network to be burdened with unnecessary policy enforcement.
But then, there might be situations where even internal callers need to authenticate properly (e.g. if it is a payment service)
Authentication/authorization in most cases is needed for microservices that provide public API, as they are available/visible for the World.
Why? Cause when someone from the World calls the API method, we (in most cases) want to know who the client is (do Authentication) and decide what client is allowed to do (do Authorization).
On the other hand, for internal microservices (in most cases) the client's are well-known as they are other internal microservices. So until you don't need to provide different restrictions of use for different internal microservices there is no need for authorization. Note that I assume that internal components only available within the organization.
If your organization is considered with internal threats (and why wouldn't they be?), then yes all microservices need to be protected from malicious use.